R7800 openfortivpn & Iptables , how do i make it work ?

HUHA

Occasional Visitor
Hello.
I have an R7800 with Router Firmware Version V1.0.2.83SF and I installed openfortivpn 1.15.0-1, which creates the interface ppp1. I can connect to the VPN at work, but from the LAN I cannot access the servers at work.

Everything is done from the router, via SSH.
Pinging a server at work, 10.141.141.245, gets no reply, but if I enter this command

iptables -I INPUT -i ppp1 -j ACCEPT

ping starts to respond, but I cannot telnet to 10.141.141.245.

root@Router:~$ telnet 10.141.141.245
telnet: cannot connect to remote host (10.141.141.245): Connection refused

If I try traceroute

root@Router:~$ traceroute 10.141.141.245
traceroute to 10.141.141.245 (10.141.141.245), 30 hops max, 38 byte packets
1 traceroute: sendto: Operation not permitted

If I enter

root@Router:/usr/sbin$ net-wall stop
Stopping Firewall...
Done!
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).

then I can telnet to 10.141.141.245 and it works, but I lose all internet connectivity from my LAN network. Because of this I have to start net-wall again, and I lose the ping and telnet.

root@Router:/usr/sbin$ net-wall start
Starting Firewall...
Done!

So what rules must I enter with iptables so that my router permits my LAN network to access my server at work via the VPN connection? I will attach the output of iptables -L and route.


Do you need any other information?


Thank you
 

Attachments

  • iptables & route.txt
    15.2 KB
This is my route output with the VPN on:

root@Router:~$ route
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref    Use Iface
default          10.0.0.1         0.0.0.0          UG    0      0        0 ppp0
10.0.0.1         *                255.255.255.255  UH    0      0        0 ppp0
10.56.4.0        *                255.255.255.0    U     0      0        0 ppp1
10.56.5.0        *                255.255.255.0    U     0      0        0 ppp1
10.141.141.0     *                255.255.255.0    U     0      0        0 ppp1
10.237.42.0      *                255.255.255.0    U     0      0        0 ppp1
109.XXX.XXX.186  10.0.0.1         255.255.255.255  UGH   0      0        0 ppp0
192.0.2.1        *                255.255.255.255  UH    0      0        0 ppp1
192.168.2.0      *                255.255.255.0    U     0      0        0 br0
239.0.0.0        *                255.0.0.0        U     0      0        0 br0
 
I see that instead of
root@Router:/usr/sbin$ net-wall stop

I can use iptables -I OUTPUT -o ppp1 -j ACCEPT

and telnet to 10.141.141.245 works from the router, but not from my PC, which is connected to the router via LAN cable.

Now, even though I can connect from the router using
iptables -I INPUT -i ppp1 -j ACCEPT
iptables -I OUTPUT -o ppp1 -j ACCEPT

it is not working from the PC.

What can I do further?
 
I did not mention this:
when the VPN client connects to the VPN server, it shows this

DEBUG: Interface Name: ppp1
DEBUG: Interface Addr: 10.212.134.17

When I ping 10.141.141.245 from the router, in the VPN debug I see traffic in both directions:

DEBUG: pppd ---> gateway (86 bytes)
DEBUG: gateway ---> pppd (86 bytes)
DEBUG: pppd ---> gateway (86 bytes)
DEBUG: gateway ---> pppd (86 bytes)
DEBUG: pppd ---> gateway (86 bytes)
DEBUG: gateway ---> pppd (86 bytes)
because it sees the originating IP = 10.212.134.17

But when I ping 10.141.141.245 from my PC in the LAN (192.168.2.51) I see only one direction:

DEBUG: pppd ---> gateway (62 bytes)
DEBUG: pppd ---> gateway (62 bytes)
DEBUG: pppd ---> gateway (62 bytes)
DEBUG: pppd ---> gateway (62 bytes)
because the VPN server sees the originating IP = 192.168.2.51

Maybe the VPN server is not allowed to reply to the ping to 192.168.2.51?
In this case, how can I modify the packets from the LAN PC (192.168.2.XXX) to 10.141.141.245 so that they appear to come from 10.212.134.17, which is assigned by the VPN tunnel? Is there a way?

Thank you.
 
I found out about tcpdump. I run it on the router: tcpdump -i ppp1

After I start openfortivpn (interface = ppp1 and IP = 10.212.134.17), I try a ping to 10.56.4.21

20:33:07.375390 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 39201, seq 0, length 64
20:33:07.440994 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 39201, seq 0, length 64
20:33:07.441057 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 34855 unreachable, length 92
20:33:08.375889 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 39201, seq 1, length 64
20:33:08.440401 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 39201, seq 1, length 64
20:33:08.440463 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 2353 unreachable, length 92


I run
iptables -I INPUT -i ppp1 -j ACCEPT
iptables -I OUTPUT -o ppp1 -j ACCEPT

and again ping 10.56.4.21, and I get a reply:

20:34:55.709754 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 15139, seq 0, length 64
20:34:55.775421 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 15139, seq 0, length 64
20:34:56.710254 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 15139, seq 1, length 64
20:34:56.775015 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 15139, seq 1, length 64


Now I try a ping to 10.56.4.21 from the LAN laptop (192.168.2.51) and get no reply

20:36:39.149710 IP 192.168.2.51 > 10.56.4.21: ICMP echo request, id 1, seq 13940, length 40
20:36:44.094915 IP 192.168.2.51 > 10.56.4.21: ICMP echo request, id 1, seq 13946, length 40

I run this on the router
iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
to change the source of the packets from the LAN (192.168.2.51) to the ppp1 interface IP, 10.212.134.17


and again a ping to 10.56.4.21 from the laptop 192.168.2.51; the result is

20:39:00.605630 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 1, seq 14086, length 40
20:39:00.670422 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 1, seq 14086, length 40
20:39:00.670516 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 7765 unreachable, length 68
20:39:05.609004 IP 10.212.134.17 > 10.56.4.21: ICMP echo request, id 1, seq 14092, length 40
20:39:05.674484 IP 10.56.4.21 > 10.212.134.17: ICMP echo reply, id 1, seq 14092, length 40
20:39:05.674546 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 7759 unreachable, length 68


I see I send a ping to 10.56.4.21 and it replies back to 10.212.134.17, but on the 3rd line I get this
20:39:00.670516 IP 10.212.134.17 > 10.56.4.21: ICMP 10.212.134.17 protocol 1 port 7765 unreachable, length 68

How can I instruct the router to direct the reply back to my LAN laptop 192.168.2.51, which is the source of the ping?


What else can I try?

Thank you
 
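The following script is an added example and not code from the thread or from the openfortivpn project. It ties together the three pieces the posts above arrive at one at a time: the INPUT/OUTPUT accepts that make ping and telnet work from the router's own SSH session, the MASQUERADE that makes LAN packets leave the tunnel as 10.212.134.17, and the piece still missing at the end of the thread, FORWARD rules for br0 <-> ppp1. The "ICMP ... protocol 1 port N unreachable" lines in the tcpdump captures come from the router itself (they are sent from its own tunnel address), which is what an iptables REJECT with icmp-port-unreachable produces: the echo reply is de-NATed to 192.168.2.51, enters FORWARD, and is rejected there by the stock firewall. The interface names and subnets are taken from the route table and debug output posted above and are assumptions, as is the availability of the `state` match and the `TCPMSS` target in the router's iptables build; none of this was verified on an R7800.

```shell
#!/bin/sh
# Added example: iptables rules that let LAN clients behind br0 reach the work
# networks through the openfortivpn tunnel on ppp1. Not the poster's script.
# Assumptions, taken from the route table and debug output in the thread and
# not verified on an R7800: LAN bridge br0 = 192.168.2.0/24, tunnel ppp1,
# work subnets 10.56.4.0/24 10.56.5.0/24 10.141.141.0/24 10.237.42.0/24,
# an iptables build with the "state" match and the TCPMSS target.
# Set IPT=echo (or run with "preview") to print the rules instead of applying them.

LAN_IF=${LAN_IF:-br0}
VPN_IF=${VPN_IF:-ppp1}
LAN_NET=${LAN_NET:-192.168.2.0/24}
VPN_NETS=${VPN_NETS:-"10.56.4.0/24 10.56.5.0/24 10.141.141.0/24 10.237.42.0/24"}
IPT=${IPT:-iptables}

# vpn_rules -I installs the rules at the top of each chain, ahead of the REJECT
# rules the stock net-wall firewall keeps there; vpn_rules -D removes them again.
vpn_rules() {
    act=$1

    # Router itself: accept replies to connections the router opened over the
    # tunnel (ping/telnet from the SSH session) and let it send into the tunnel.
    # Narrower than a blanket "-I INPUT -i ppp1 -j ACCEPT", which would also
    # expose the router's own services to everything on the work side.
    $IPT $act INPUT  -i "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT $act OUTPUT -o "$VPN_IF" -j ACCEPT

    # Forwarding: LAN -> each work subnet, and only reply traffic back. A reply
    # that reaches a REJECT in FORWARD is answered by the router with the
    # "ICMP ... protocol 1 port N unreachable" seen in tcpdump.
    for net in $VPN_NETS; do
        $IPT $act FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$net" -j ACCEPT
    done
    $IPT $act FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: LAN sources leave as the tunnel address, so the VPN gateway knows the
    # way back; conntrack rewrites the reply to 192.168.2.x before FORWARD sees it.
    $IPT -t nat $act POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE

    # PPP links have a smaller MTU than Ethernet; clamp TCP MSS on the way out so
    # telnet/SSH sessions do not stall after the handshake (assumed useful here).
    $IPT -t mangle $act FORWARD -o "$VPN_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

case "${1:-}" in
    apply)   vpn_rules -I ;;
    remove)  vpn_rules -D ;;
    preview) IPT=echo; vpn_rules -I ;;
esac
```

Run it with `preview` first to see the exact rules, then `apply` once openfortivpn reports ppp1 up. Since `net-wall start` rebuilds the stock chains, the rules have to be reapplied after every firewall restart (or hooked into the pppd ip-up script, which this example does not do). A successful run shows in `tcpdump -i ppp1` as echo request/reply pairs with no trailing "unreachable" line, and the laptop's ping to 10.56.4.21 gets its reply.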
